Every pharmaceutical manufacturer, or let us say manufacturer of any goods, want to manufacture a product of best quality which shall complies with all the applicable regulations, guidelines, specifications etc. In pharmaceuticals, this becomes a bigger challenge as the failure to meet any of the quality attributes shall pose a higher risk of product being unsafe, lower efficacy or lower quality. The risk of failure of pharmaceuticals is really severe as it may endanger the life of the person consuming the same, as both safety as well as efficacy is expected from a good drug product.

This is important to understand for any manufacturer that the quality of the product shall be maintained through the entire product life cycle i.e. from the product development to the product consumption.

In addition to the manufacturers, even assessment of risks associated with products and processes helps the regulatory authorities to ensure the quality of medicines being marketed.

The question arises here are what is a risk, how to identify it, which risk is of importance, how to mitigate the same and whether if we cannot completely eliminate the risk then can we live with it? And many more…..

The following article shall try to address all the above-mentioned concerns.

What is a Risk?

As per ICH Q9, the risk is defined as the combination of the probability of occurrence of harm and the severity of that harm.

Better implementation of Good Manufacturing Practices (GMPs), self-inspections, internal and external audits etc. helps to assure that system and processes are running in a state of compliance and the firm is at low risk of producing any product or service of inferior quality.

What is Quality Risk Management?

As per ICH Q9, Quality Risk Management (QRM) is defined as a systematic process for the assessment, control, communication and review of risks to the quality of the drug (medicinal) product across the product lifecycle. QRM is the continuing process of appropriately managing risks to product quality throughout the product’s life-cycle. QRM can be applied both proactively and retrospectively.

QRM helps to ensure that the product (drug) being manufactured is of highest quality by reducing the risks to product quality. It can only happen by proactively identification, assessment, mitigation, reduction and acceptance of any probable risks associated with it. QRM also helps the regulators to understand the firm’s quality systems better and provides requisite assurance that the implemented quality system is in a state of compliance.

Principles of Quality Risk Management

The primary principles of QRM are:

  • The evaluation of the risk to quality should be based on scientific knowledge and ultimately link to the protection of the patient; and
  • The level of effort, formality and documentation of the quality risk management process should be commensurate with the level of risk.
  • When applied, processes using QRM methodologies should be dynamic, iterative and responsive to change.
  • The capability for continual improvement should be embedded in the QRM process.

Quality Risk Management Process:

QRM is a systematic process of identification, assessment, reduction, acceptance, communication and review of the risks associated with any process or product. Quality risk management should include systematic processes designed to coordinate, facilitate and improve science-based decision making with respect to risk.

A standard Model of QRM process is represented below:

risk-management-process2

Reproduced from reference 5: ICH Q9: Quality Risk Management

It is important to note here that the above-mentioned standard model is for reference purpose. However, firm’s may use their own models too. Also, extent of emphasis on each above-mentioned component may vary from case to case.

One of the important question arises while initiating quality risk management is that who is responsible for carrying out the QRM process?

QRM is not and it should never be a one-man job. It should always be carried out in teams. The team may be Interdisciplinary or Intradisciplinary as per the requirements. The team shall be able to take responsibility for coordinating QRM across various functions and departments of the organization; and assure that a QRM process is defined, deployed and reviewed and that adequate resources are available.

The personnel involved shall have product specific knowledge and expertise. The team may use flow diagram of the process to have a better know how of the process and to ensure all the operational steps are covered.

The cross-functional team shall be able to conduct risk analysis,  identify and analyse potential risks, evaluate risks and determine which ones should be controlled and which ones can be accepted, recommend and implement adequate risk control measures, devise procedures for risk review, monitoring and verification and consider the impact of risk findings on related or similar products and/or processes.

Initiating a Quality Risk Management Process:

The initiation of QRM includes following steps:

  • Defining the problem and/or risk question, including pertinent assumptions identifying the potential for risk;
  • Assemble background information and/ or data on the potential hazard, harm or human health impact relevant to the risk assessment;
  • Identify a leader and necessary resources;
  • Specify a timeline, deliverables and appropriate level of decision making for the risk management

The QRM approach basically consists of following steps:

  1. Risk Assessment
  2. Risk Control
  3. Risk Communication
  4. Risk Review

RISK ASSESSMENT: Risk assessment is a 3-step process which includes identification of risks, followed by their analysis and evaluation. As specified above, the assessment begins with defining the problem. Once the problem is properly defined, it aids in implying the appropriate QRM tool. The three steps of risk assessment are as follows:

  1. Risk Identification: It is a systematic way of using information and resources including historical data, theoretical analysis, informed opinions and stakeholder concerns to identify hazards related to the problem. It addresses the very question that “What might go wrong?”.
  2. Risk Analysis: It is the estimation of the risk associated with the identified risks/hazards. It is the qualitative or quantitative process of linking the possibility of occurrence and severity of harms. The ability to detect the harm (detectability) shall also be considered as one of the factors in estimation of risk. It addresses the very question that “What is the nature of possible risks?”, “What is the probability of their occurrence and how easy is it to detect them?” and “What are the consequences (the severity)?”.
  3. Risk Evaluation: It compares the identified and analyzed risk against given risk criteria.

Risk assessment leads to following outputs:

  1. Quantitative Output: Risk is expressed in terms of numerical probability.
  2. Qualitative Output: Risk is expressed in terms of qualitative values like “High”, “Medium” and “Low” or “Critical”, “Major” and “Minor”.

It should be clearly understood that, the scoring system and trigger points for preventive action are subjective, hence, the rationale for score categorization should be defined in detail. If the score and trigger action are supported by factual evidence it should be more obvious what preventive action is required. It shall be noted that the preventive action is as important as the score assigned.

The output of risk assessment is often arrived on the basis of evaluation of severity, probability of occurrence and probability of detectability.

RISK CONTROL: It is a decision-making process which includes the ways to reduce the risk and /or accept the risk on case to case basis. The reduction of risk involves various steps taken; procedural controls implied so that the identified risk is reduced to an acceptable level. Higher the risk, higher are the level of controls required to reduce it to the acceptable level. As explained, the risk control strategy includes two steps i.e. Risk Reduction and Risk acceptance, the same is explained as following:

  1. Risk Reduction: Actions taken to reduce the risk to an acceptable level forms the basis of risk reduction. As explained previously that risk is assessed on the basis of evaluation of severity, probability of occurrence and probability of detectability. Hence, to reduce risk, the firm shall focus on ways to reduce severity of risk, reduce the probability of occurrence and increase the probability of detection of the risk.

Risk reduction activities usually involve identifying controls and measures which may reduce or control the risk associated with a failure mode or negative event. Risk control activities can serve to determine critical process parameters for certain controls, how they will be monitored, and the level of qualification and validation, if any, which may be required for such controls.

Care shall be taken to document all the risk control measures taken. It is advised that after implementation of risk reduction strategy, one must again perform the risk assessment to identify if any new related risks are identified.

  1. Risk Acceptance: This involves Management’s decision to accept the risk; as sometimes even the best of the risk reduction strategies are unable to completely eliminate the risk. Hence, it is advised that the risk shall be reduced to an acceptable level after implementation of the appropriate risk management strategy.

RISK COMMUNICATION: This involves sharing information with the decision makers and others regarding risk and risk management efforts. Risk communication can be done at any stage of the risk management process. The output/ result of the QRM process should be appropriately communicated and documented.

The interested parties may include various departments within the organization, regulators, patients, physicians, marketing etc.

RISK REVIEW: It is expected that risk management shall be an ongoing part of the quality management process. Appropriate systems should be in place to ensure that the output of the QRM process is periodically monitored and reviewed. The firm shall implement a mechanism to review the risks. It is expected that Risk management strategy once implied might not be performing as desired and requires some alteration or fine tuning. May be with the advent of newer technology, one can imply better control strategies to reduce the risk further. Hence, Risk review is an important risk which may also lead to a situation where one may reconsider the risk acceptance decision.

VARIOUS TOOLS OF RISK MANAGEMENT:

There are various risk management tools that are available and can be implied to assess and mange the risks. Some of the most important risk management tools are as follows:

  1. Basic Risk Management Facilitation Methods (flowcharts, check sheets etc.);
  2. Failure Mode and Effects Analysis (FMEA);
  3. Failure Mode, Effects and Criticality Analysis (FMECA);
  4. Fault Tree Analysis (FTA);
  5. Hazard Analysis and Critical Control Points (HACCP);
  6. Hazard Operability Analysis (HAZOP);
  7. Preliminary Hazard Analysis (PHA);
  8. Risk Ranking and Filtering;
  9. Supporting Quality and Statistical Tools.

The QRM approach may be used to:

  • To systematically analyse products and processes to ensure that the best scientific rationale is in place to improve the probability of success;
  • To acquire sufficient product and process knowledge to assess risks associated with the formulation development;
  • To identify important knowledge gaps associated with processes that need to be understood to properly identify risks;
  • To provide the communication process that will best interface with all relevant stakeholders involved in the QRM activities;
  • To facilitate the transfer of process knowledge and product development history to ease product progression throughout its life-cycle and to supplement already available knowledge about the product;
  • To enable the pharmaceutical industry to adopt a risk-based approach to development;
  • The QRM outputs will potentially serve as reference documents to support product development and control strategy discussions in regulatory filings.

 

Challenges of Quality Risk Management?

There are various challenges being faced while implementation of Quality Risk Management viz.:

  1. Difference in perception of risk: Every individual perceives a risk in their own ways. An event which may be considered as a risk by one individual, may not be a risk at all for another.
  2. Difference in evaluation of risk: Every individual based on his own knowledge and experience may provide different values to the probability of each risk and attribute different severities to each risk.
  3. Data robustness is the most important factor for carrying out risk assessment. Data helps to create a strong base for the assumptions to be made while assessing the risk.

Reference:

  1. ICH Q9 Quality Risk Management
  2. Annexure 2 of WHO Technical Report Series 981